flare-emu marries IDA Pro’s binary analysis capabilities with Unicorn’s emulation framework to provide the user with an easy to use and flexible interface for scripting emulation tasks. It is designed to handle all the housekeeping of setting up a flexible and robust emulator for its supported architectures so that you can focus on solving your code analysis problems. Currently, flare-emu supports the x86, x86_64, ARM, and ARM64 architectures.[…]

In this tutorial you will learn how to use Unicorn Engine by solving practical exercises. There are 4 exercises and I will solve the first exercise for you. For the others I am providing hints and solutions, which you can obtain by clicking the spoiler buttons.[…]

[…]Unicorn Mode works by implementing the block-edge instrumentation that AFL’s QEMU Mode normally does into Unicorn Engine. Basically, AFL will use block coverage information from any emulated code snippet to drive its input generation. The whole idea revolves around proper construction of a Unicorn-based test harness, as shown in the figure below:

Nguyen Anh Quynh announced the 1.0.1 release of the Unicorn CPU Emulator.

[unicorn-engine] Unicorn Emulator v1.0.1 is out!We are excited to announce version 1.0.1 for Unicorn CPU Emulator framework! This is a stable release, in which we fixed some issues in the core, added some features on Arm, Arm64, Mips & X86. […]

[…] This is when I had an idea! How about creating an EFI emulator and debugger using the Unicorn Engine framework? I had a feeling this wouldn’t be extremely hard and time consuming because the EFI environment is self contained – for example no linkers and syscalls to emulate. I also knew that this binary was more or less isolated, only using a few Boot and RunTime services and very few external protocols. Since the total number of Boot and RunTime services are very small this meant that there wasn’t a lot of code to be emulated. And with a couple of days work the EFI DXE Emulator was born. To my surprise I was finally able to run and debug an EFI binary in userland, speeding the reverse engineering process up immensely and quickly providing insight to previously tricky code. […]

ARM Shellcode Generator: Shellcodes for ARM/Thumb mode. Ideas came from shell-storm and pwntools/pwnies. Thanks to share all of brilliant sources on the net. I’m interested in mobile platform and archtecture like Android on ARM, Router on MIPS and so on. This project named ARMSCGen focus on shellcode on ARM Architecture especially ARMv7 Thumb Mode.

ROPMEMU is a framework to analyze, dissect and decompile complex code-reuse attacks. It adopts a set of different techniques to analyze ROP chains and reconstruct their equivalent code in a form that can be analyzed by traditional reverse engineering tools. In particular, it is based on memory forensics (as its input is a physical memory dump), code emulation (to faithfully rebuild the original ROP chain), multi-path execution (to extract the ROP chain payload), CFG recovery (to rebuild the original control flow), and a number of compiler transformations (to simplify the final instructions of the ROP chain). Specifically, the memory forensics part is based on Volatility plugins. The emulation and the multi-path part is implemented through the Unicorn emulator. […]

Hugsy has created cemu, the Cheap EMUlator that shellcoders will enjoy:

Cheap EMUlator is a simple tool to combine together all the features of Keystone, Unicorn and Capstone engines in a Qt powered GUI. It allows to test binary samples, check your shellcodes or even simply learn how to write assembly code, all of this for the following architectures:

Pre-Requisites: unicorn and its Python bindings, as the emulation engine keystone and its Python bindings, as the assembly engine capstone and its Python bindings, as the disassembly engine PyQt5 for the GUI pygments for the text colorization

Nguyen Anh Quynh announced the Keystone Engine Project, with an IndieGogo funding campaign to help them:

We are very excited to announce our IndieGogo campaign for Keystone Engine, the next-gen assembler framework! After Capstone & Unicorn, Keystone is the latest of our on-going effort to bring better tools to the reverse-engineering community. Now with the final missing piece Keystone, we complete the magical trilogy of disassembler – emulator – assembler. Come support us, and help to spread the news, so together we can solve the lingering problem of missing the assembler framework once, and for all! The Keystone name came from some private conversation with Felix “FX” Lindner. Thanks for such a great inspiration, FX!

Unicorn was announced at BlackHat this Summer, and the source for this open source project just got released. Looking forward to using this to debug firmware …but even though it is based on QEMU, I don’t see how to Unicorn to work with OVMF. If someone knows how, please post a Comment with info!